Solved: Re: How to combine two fields into one field?

splunknewby · ‎06-21-2015

How do I combine two fields into one field? I've tried the following (http://answers.splunk.com/answers/8334/help-with-combining-fields.html) options, but the:

eval IP = src_ip." / ".dst_ip

However, this does not result in a new IP field in my searches.

MuS · ‎06-21-2015

Hi splunknewby,

this works perfect with this example:

| gentimes start=-1 | eval src_ip="1.1.1.1" | eval dst_ip="2.2.2.2" | eval IP = src_ip." / ".dst_ip

Do you get src_ip or dst_ip fields in your events? Because this will only work if you get those fields in the search result.

cheers, MuS

aljohnson_splun · ‎06-22-2015

are you maybe looking to make the values for each field accessible under one field's name ?

... | eval combined_ip = coalesce(src_ip, dst_ip)

woodcock · ‎06-22-2015

Some fields may not always have a value so try this:

...  | fillnull src_ip dst_ip | eval IP = src_ip . " /  ". dst_ip

MuS · ‎06-21-2015

Hi splunknewby,

this works perfect with this example:

| gentimes start=-1 | eval src_ip="1.1.1.1" | eval dst_ip="2.2.2.2" | eval IP = src_ip." / ".dst_ip

Do you get src_ip or dst_ip fields in your events? Because this will only work if you get those fields in the search result.

cheers, MuS

splunknewby · ‎06-25-2015

Thanks MuS.

MuS · ‎06-25-2015

You're welcome 🙂

How to combine two fields into one field?